Stolen Wallets, Not Hacks, Cause the Most ID Theft? Debunked

A new report from Javelin Research is getting attention for its extraordinary claim that data breaches are responsible for only a tiny minority of identity theft cases, compared to lost wallets and other low-tech exposures. But a closer look at Javelin’s numbers casts serious doubt on the company’s conclusions.

The stat that’s getting the most buzz in Javelin’s 2009 Identity Fraud Survey Report (.pdf) comes from identity theft victims’ responses to this survey question: "How was your information obtained?" Only 11 percent of the respondents said it was lost in an online transaction, and an equal number said it was stolen in a data breach. Some 43 percent blamed a lost or stolen wallet. Here’s Javelin’s chart.

"Despite the hefty blame — largely perpetuated by the media — placed on the internet and cybercrime, online identity theft methods (phishing, hacking and malware) only accounted for 11 percent of fraud cases in 2008," claims Javelin. "The truth is, most known cases of fraud occur through traditional methods, when a criminal has direct, physical access to the victim’s information."

Damn you media! It’s time to stop this incessant hyping of the data breaches that have compromised information on hundreds of millions of consumers. Obviously, stolen wallets are the real epidemic.

But the 11 percent stat crumbles on even a casual inspection. That’s because it’s from a sub-sample of victims who know how their information was stolen. The fine print in the report reveals that the vast majority — 65 percent of identity theft victims surveyed — have no idea how their data was lost, and so they weren’t included in the chart.

If one were to add them back in, the chart would look like this.

What does Javelin think is in that giant black slice of pie? Garbage theft? Psychics gone bad? Or might it have something to do with the hackers and cashers who keep getting caught with magstripe encoders, stolen credit card data and Hefty bags filled with cash stuffed in their closets?

It’s a fair bet that the 65 percent includes most victims whose information was lost in a skimming attack or a reported data breach.
It unquestionably cabins every single victim of an identity theft that resulted from an unreported or undetected data breach.

And, of course, that 65 percent includes nobody who was mugged, pick-pocketed or lost their wallet; those consumers know exactly how their information was stolen. So however you slice it, those victims represent a small minority of identity theft victims — not the majority Javelin claims.

Update: It turns out Chris Hoofnagle at the University of California, Berkeley School of Law, made the same observation in a 2007 paper. At the time, Javelin’s takeaway was that information stolen by friends and family members was the biggest single cause of identity theft. Then, as now, Javelin simply discarded survey results from the vast majority of victims who didn’t know how their information was stolen. Hoofnagle pointed out the flaw.

Javelin’s conclusion is based on the survey responses of a very small subset of the victims who knew the identity of the perpetrator, and these responses are generalized to the rest of the respondents who did not. For this approach to be valid, the small subset would have to be sufficiently similar to the larger sample, which Javelin failed to demonstrate. Recognizing the flaws of the Javelin study, FTC has characterized the conclusion that impostors are most often friends or relatives of victims as misleading.

That this shell game was exposed so long ago makes it all the more baffling that the press — including both major U.S. news wires — is still uncritically reporting Javelin’s claims.